<emily> abathur: another thing I thought about re: the keychain/volume approach, should probably set the key to not just be accessible by any application
<emily> security(1) can do that, but not sure how it'd interact with the system daemon; maybe it'd need putting in its own binary/shell script to be able to be granted perms like that
<abathur> I suspect so yeah
<abathur> I've had that thought
<emily> the shopify script sets it to some process named APFSAgent or something
<emily> which didn't seem to do anything for me
<abathur> it is at least in the system keychain, so AFAIK whatever was trying to check it would still need to be using root/sudo
<abathur> well
<abathur> my best guess is that shopify is just mirroring what the system does if you create an encrypted volume, try to mount it, and let the system save the credentials
<abathur> so, if you don't add APFSUserAgent
<abathur> *and* you don't mount it with a launchdaemon
<emily> ah, mhm
<abathur> when the system finally gets around to trying, it'll prompt you to ask if APFSUserAgent can access <credential label>
<emily> probably good to include APFSUserAgent in there anyway, if we're mirroring the UUID setup and so on
<abathur> and give you a chance to say allow/deny/always allow
<emily> (so that things can still potentially work sans-daemon)
<abathur> kinda :]
<abathur> I actually just committed that, but lilyball proposed something that I think makes sense
<abathur> so my reluctance to add them was because I thought it was marginally better for the system to prompt you about the credential than to just silently start auto-mounting the drive and potentially cause the race condition issues
<abathur> but lilyball suggested just adding noauto to the fstab
<abathur> so, it'd have the right credentials set up to auto-mount if needed, but will hopefully still require some user action, giving the user a chance to fix whatever's wrong with the launchdaemon?
<abathur> (I have yet to actually test this; working towards that now)
<abathur> I guess it's easy enough to test the access bit
<abathur> oh, I guess we'll get an interesting test
<abathur> I think, when I'm not using -T, it auto-adds /usr/bin/security to that list
<abathur> but the code I just started using does specify APFSUserAgent and CFUserAgent or whatever--so I guess it may prompt and fall over unless root wins
<emily> I half suspect that it just works anyway from launchdaemons
<emily> from my past fiddling
<emily> but only one way to find out I suppose
<abathur> :]
<abathur> it didn't work without adding security
<abathur> also, adding noauto did have the intended effect
<abathur> I guess it's debatable how well it'll actually drive people to look into it
<abathur> it does fail fairly silently by itself, so I guess someone who rarely uses Nix and has no regular dependency on the volume could have it broken for a while before they notice; but I guess that's also true of all kinds of things
<emily> having to add security is very unfortunate; basically means no access controls
<emily> if we made the mounter a tiny C/Swift/Rust binary we could add it directly right? it didn't work when I tried adding a shell script unfortunately
<abathur> I think so
<johnw> greetings all
<abathur> greetings :)
<antifuchs> emily: correct, if the binary uses the keychain access framework (I forgot the name), that's what you'd allowlist
<antifuchs> I believe you have to guarantee a stable pathname on the binary though
<antifuchs> (or make it an app bundle and you get to allowlist the app ID... I think)
<abathur> there's also some sort of partition list thing; I haven't tried to understand since it obviously doesn't fit the current use case, https://mostlikelee.com/blog-1/2017/9/16/scripting-the-macos-keychain-partition-ids